Ok but why did the infosec mastodon server install a fork to let anyone put HTML in their posts? A fork with a readme that only says "anyone who uses that does so absolutely at their own risk"?

No need to bring back MySpace. @samykamkar already got it.

portswigger.net/research/steal

@sj The fix is in #Mastodon mainline though. It's not just Glitch or whatever this fork is, right?

@todb They applied hardening, but "core Mastodon was not vulnerable to this particular attack". Ordinary users can't just put HTML places in Mastodon mainline.

@sj Ah there's the complete quote:

core Mastodon was not vulnerable to this particular attack since they do not allow title attributes. It was still patched to fix replacement of placeholders such as `:verified:`.

That "particular," I suspect, is doing a lot of work. @gaz and @albinowax didn't happen to hit the right core attribute.

@todb @gaz @albinowax For sure, and best to patch to be safe, but I'm not convinced it's exploitable or really even functional. There might be something else required, but angle brackets in emojis do not seem to work here.

@sj I'm pretty sure a lot of people miss MySpace and having a distributed (what some term federated) alternative might actually appeal to the demographic who were middle school kids using MySpace to cut their teeth on HTML.

Having written as much, that feature set does seem as if it is a bad fit for Mastodon and a worse fit for an infosec instance, but also now a source of lulz. Don't the cynics stipulate that the biggest virus writers are actually working for AV vendors? Similar dealio. ;)

@byterhymer no conspiracy, I just think it's similar to how elite rock climbers have a high chance of dying from rock climbing accidents. Sure their skills can reduce the risk of accident in a given climb, but boy isn't it fun to try these crazy climbs!

Scriptjunkie Social

scriptjunkie's server